I have started developing a drawing application in AS3. I am thinking that I could integrate a CMS and allow swf files to be uploaded at runtime as graphics. What are the potential security issues involving third-party, possibly malicious swf files here?

I would simply be adding the swf as a custom sprite class to a masked container sprite. Does this open a hole to run other scripts (js on another server?) and/or give access to the client's computer in unsafe ways?

I would appreciate any recommended reading and/or advice / experience in swf hosting like this. I see this being done on many sites now such as wonderfl and activeden.

A: 

I think instead of saving a whole mess of SWFs on the server, it would be better to serialize your drawing data, and have your main SWF just redraw the drawing based on the loaded data. You can still use a CMS/Database to store and manage this data.

EDIT*

If you need to load SWFs, take a look at Specifying loading context. And maybe also take a read through Loading Content.

TandemAdam
Wouldn't he have to use loadBytes to get the serialized data? Isn't that even less secure?
PatrickS
Ah yes, it would be nice to serialize the drawings if they were only drawings. I was hoping to use swf as vector graphics for complex shapes in the application's canvas, kind of like stickers.
A: 

This is the ActionScript equivalent to XSS. Your domain will no longer be protected by the Same Origin Policy. This can be used by an attacker to hijack a Session ID (Cookie), deface your web site, or deliver exploit code to any browsers visiting your site.

Rook
I'll have to re-read this to get my head around this concept. I am assuming that if a user uploads a swf as a graphic inside the application and it is then saved on the server, when another user opens the application again that loads that same swf, the default will not allow that swf cross-domain access.
I guess if I were to follow this path it does open another hole for someone to exploit, but it's not like that wouldn't require specific significant effort. I guess the kind of exploit that this leaves is the exploits Adobe deals with. Although I am probably still overlooking something. Would you think a server-side virus scanner to scan the swf might be appropriate before another user has the swf graphics loaded into their client instance?
@user332096 Cross-domain access doesn't come into play. The issue here is that you are allowing a SWF file to be uploaded and then executed. This SWF file will be run in the context of your domain, and could contain anything. A virus scanner can make sure that this swf file isn't exploiting Flash, but it could still be a very simple exploit that is grabbing `document.cookie` and transmitting it to another domain. As long as the author is the only one able to access his uploaded swf file, then it can't be used to obtain another user's cookie and this limits the impact significantly.
Rook
Very good, OK Rook, I understand: the swf will be trusted by the domain it comes from. This is a big concern.
@user332096 Thank you, I am happy to help. I think you now understand a bigger set of problems in web app security.
Rook
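
An added example, not part of the original thread: for the "stickers" use case, where an upload should be nothing but vector graphics, the server can walk the SWF tag stream and refuse any file that carries script. The tag list, the size cap and the names `code_tags_in_swf` and `make_swf` are assumptions of this example.

```python
import struct
import zlib

MAX_BYTES = 8 * 1024 * 1024  # assumed cap on decompressed size
# Tags that carry ActionScript (or, for ImportAssets, pull symbols from another SWF).
CODE_TAGS = {7: "DefineButton", 12: "DoAction", 34: "DefineButton2",
             57: "ImportAssets", 59: "DoInitAction", 71: "ImportAssets2",
             72: "DoABC(72)", 82: "DoABC"}

def _walk(data, pos, found):
    """Walk tag records from pos, recursing into DefineSprite (39) bodies."""
    while pos + 2 <= len(data):
        (hdr,) = struct.unpack_from("<H", data, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F and pos + 4 <= len(data):  # long header: 32-bit length
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        body = data[pos:pos + length]
        if len(body) != length:  # also catches a truncated long header
            raise ValueError("tag runs past end of data")
        if code in CODE_TAGS:
            found.add(CODE_TAGS[code])
        elif code in (26, 70) and body and body[0] & 0x80:  # PlaceObject2/3
            found.add("PlaceObject clip actions")
        elif code == 39:  # DefineSprite nests its own tag list
            _walk(body, 4, found)  # skip sprite id and frame count
        pos += length
        if code == 0:  # End tag
            return
    raise ValueError("missing End tag")

def code_tags_in_swf(blob):
    """Return names of code-carrying tags; ValueError or zlib.error means reject."""
    if len(blob) < 9 or blob[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")  # LZMA 'ZWS' is refused too
    body = blob[8:]
    if blob[:3] == b"CWS":
        z = zlib.decompressobj()
        body = z.decompress(body, MAX_BYTES)
        if z.unconsumed_tail or not body:
            raise ValueError("empty or oversized body")
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4  # RECT, frame rate, frame count
    found = set()
    _walk(body, pos, found)
    return found

def make_swf(*tags):  # constructed sample input from (code, body) pairs
    recs = b"".join(struct.pack("<HI", c << 6 | 0x3F, len(b)) + b for c, b in tags)
    return b"FWS\x0a" + struct.pack("<I", 13 + len(recs)) + b"\x00" * 5 + recs
```

An empty result only says that none of the listed tags were found. It is one filter in front of storage, and it says nothing about a file built to exploit the Flash player itself.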